Saturday, October 31, 2015

Prez: Rick Perry selling his mailing list

I created separate email accounts to receive email from each of the 25 presidential candidates (and donated money to all of them). This allows me to track their behavior -- or misbehavior.

Rick Perry exited the race 50 days ago. Today, I got two emails to my special Perry address. One email was from Ted Cruz, another presidential candidate. The other was from Paul Ryan, the new Speaker of the House.

Here's Ted Cruz's email, sent to my Perry account. It's actually identical to one I received on my Cruz account. (I've hidden the To: address, except for the 'rick' part).


The email headers look like:

Received: from mail3.postup.targetedvictory.com (mail3.postup.targetedvictory.com [69.56.54.35])
 by projectp (Postfix) with ESMTP id 1266C26041B
 for ; Fri, 30 Oct 2015 16:28:59 +0000 (UTC)

Rick Perry uses the company "TargetedVictory" for his mass emailings, whereas Ted Cruz uses another company. This shows that Perry didn't hand his address list over to Cruz, but instead let Cruz mail to the list through Perry's own vendor.
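The same inference can be automated over a tagged mailbox, as an added example that is not from the post: the first Received hop is the one quoted above, while the addresses, the second message, and the tag-to-candidate and candidate-to-vendor tables are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages. The first Received line is the one quoted in the
# post; the addresses, the second message and the lookup tables are all made up.
MSG_TO_PERRY_TAG = """\
Received: from mail3.postup.targetedvictory.com (mail3.postup.targetedvictory.com [69.56.54.35])
 by projectp (Postfix) with ESMTP id 1266C26041B
 for <rick@example.invalid>; Fri, 30 Oct 2015 16:28:59 +0000 (UTC)
From: Ted Cruz <info@cruz.example>
To: rick@example.invalid
Subject: constructed sample 1

(body omitted)
"""

MSG_TO_CRUZ_TAG = """\
Received: from mail.other-esp.example (mail.other-esp.example [203.0.113.7])
 by projectp (Postfix) with ESMTP id 0000000000A1
 for <ted@example.invalid>; Fri, 30 Oct 2015 16:30:02 +0000 (UTC)
From: Ted Cruz <info@cruz.example>
To: ted@example.invalid
Subject: constructed sample 2

(body omitted)
"""

# One tagged mailbox per candidate, and the mass-mailing vendor each candidate
# is known to use. All three tables are placeholders for the demo.
TAG_OWNER = {"rick": "Perry", "ted": "Cruz"}
SENDER_DOMAINS = {"cruz.example": "Cruz", "perry.example": "Perry"}
KNOWN_ESP = {"Perry": "targetedvictory.com", "Cruz": "other-esp.example"}

RECEIVED_FROM = re.compile(r"from (\S+) \((\S+) \[([\d.]+)\]\)")


def relay_of(raw_message):
    """Return (hostname, ip) of the hop that handed the message to our server.

    That is the first Received header (the most recent hop). Folding
    whitespace is collapsed so the regex can match across continuation lines.
    """
    msg = message_from_string(raw_message)
    hops = msg.get_all("Received", [])
    if not hops:
        raise ValueError("no Received header")
    first = re.sub(r"\s+", " ", hops[0])
    match = RECEIVED_FROM.search(first)
    if not match:
        raise ValueError("unrecognised Received format")
    return match.group(1).lower(), match.group(3)


def registered_domain(hostname):
    """Naive 'last two labels' heuristic; enough for the vendor names used here."""
    return ".".join(hostname.split(".")[-2:])


def attribute(raw_message):
    """Work out whose list was mailed, who mailed it, and through which vendor."""
    msg = message_from_string(raw_message)
    relay_host, relay_ip = relay_of(raw_message)
    to_local = parseaddr(msg["To"])[1].split("@")[0].lower()
    from_domain = parseaddr(msg["From"])[1].split("@")[1].lower()
    list_owner = TAG_OWNER[to_local]
    sender = SENDER_DOMAINS.get(from_domain, from_domain)
    esp = registered_domain(relay_host)
    return {
        "list_owner": list_owner,
        "sender": sender,
        "esp": esp,
        "relay_ip": relay_ip,
        # A different candidate mailed this list: the list was shared.
        "list_shared": sender != list_owner,
        # Sent through the list owner's own vendor: the owner lent the list
        # rather than handing a copy to the sender.
        "via_owner_esp": esp == KNOWN_ESP.get(list_owner),
    }


if __name__ == "__main__":
    for raw in (MSG_TO_PERRY_TAG, MSG_TO_CRUZ_TAG):
        print(attribute(raw))
```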

I saved a copy of Perry's privacy policy when I made the donation. It implies that he won't give out my private information to somebody else, but nothing in the policy says he won't use my private information in this manner. I don't think it's changed, so you can read Rick Perry's privacy policy here and decide for yourself if this use of my private information is valid.


The other email was from Paul Ryan asking for donations to the NRCC. Apparently, the reason Paul Ryan took the job of Speaker was solely for the children.


What is the NRCC? I had to look it up on Wikipedia. It's a SuperPAC set up in 1866 to support House Republicans. They get a couple hundred million dollars in donations every year. There's a similar DCCC for the Democrats.

As a side note: Thunderbird claims this might be a "scam". I love the irony.


So why these emails from Perry? One answer could be money, that they paid him to use his mailing list. Another could be politics, that in exchange for pimping his donors, he could receive political consideration for other things, like being named ambassador or something. Thirdly, he could just be a nice guy who wants to see Republicans and his fellow Texan win.

My bet is this, that we'll see Perry officially endorse Ted Cruz in the next couple weeks, announced at some major event, timed to give Cruz a boost in the polls. If that's the case, then this would be an interesting lesson in how projects like this can scoop what's going on inside the campaigns.



Update: Comment thread over at Reddit:
https://www.reddit.com/r/technology/comments/3r00lr/prez_rick_perry_selling_his_mailing_list_today_i/

Prez: donation numbers

I've given $10 to every candidate to monitor what they do. As I blogged before, just before the quarterly filing deadline, I got emails from all the candidates begging for money, so they could impress people with how much money they'd gathered. Well, here are the amounts each candidate received last quarter:

Candidate     Amount (USD)
Hillary      29,921,653.91
Bernie       26,216,430.38
Carson       20,767,266.51
Jeb!         13,384,832.06
Cruz         12,218,137.71
Walker        7,379,170.56
Carly         6,791,308.76
Rubio         5,724,784.46
Kasich        4,376,787.95
Christie      4,208,984.49
Trump         3,926,511.65
Rand          2,509,251.63
O'Malley      1,282,820.92
Huckabee      1,241,737.51
Graham        1,052,657.62
Lessig        1,016,189.22
Webb            696,972.18
Jindal          579,438.39
Santorum        387,985.42
Perry           287,199.29
Pataki          153,513.89

Of course Hillary and Bernie are at the top, since they are the only two major contenders on the Democrat side, so they split the pool between them.

What's interesting is how Scott Walker exited the race and Jeb! scaled back his spending when their donations dropped precipitously. Even though they got huge donations last quarter, they spent the money as fast as they could. Presidential campaigns are like venture capital that way: you spend money aggressively in order to make more money. If you are right, this strategy wins; if you are wrong, you go bankrupt quickly. (And going bankrupt quickly is preferable to being a zombie barely hanging in there).

Or, instead of the aggressive strategy, you could just play it cool for a bit, waiting for the press to get tired of Trump. As we saw last election cycle, the press would suddenly get excited about a candidate for a bit, they'd shoot up in the polls, start to overspend, then the press would get bored, and their campaigns would go bankrupt. Those who lasted till the end were those who ran a more conservative campaign. Maybe banking a bit of money now in order to tide you through the press's fickleness would be a good strategy.

Then there is the Rand Paul strategy. He's got a bunch of rabid followers (like me), so he can stay in the race until everyone has gotten tired of all the "normal" candidates. His father Ron used that strategy, and it works well.





Another way to look at candidate popularity (instead of polls and donations) is betting sites, as tracked by this site. While polls point to Trump and donations point to Carson, that site claims Rubio has the best chance of getting the Republican nomination by far. If you believe this is wrong, and if your beliefs are right, then you can go onto numerous online betting websites (including with Bitcoin) and make the appropriate bet.

In theory, online betting sites are the worst way to predict the winner. Yes, I said worst. That's because if there were enough liquidity in the market for them to be statistically valid, then there would also be enough liquidity for hedging. Consider Rubio. Now that he is leading among bettors, he can invest in bets on his competition. Should his campaign falter (donations drop, popularity falls), then the odds of his competitors will go up. He can then sell those contracts and make a ton of money, enough to overcome the drop in donations. Or, everyone can hedge their bets on candidates they know will be hostile to their interests. For example, all 1%ers should be buying contracts betting on Bernie Sanders winning. Sure, they'll lose money as Sanders taxes them to death, but they'll earn a lot of money at 10 to 1 odds on the betting sites.

There have been lots of articles on the "wisdom of the crowds", but sadly, none have pointed out this hedging angle that makes their predictions inherently inaccurate.







Friday, October 30, 2015

Yes, the CNBC moderation was biased

In anger over CNBC's left-wing bias, the Republican party has suspended them from moderating future debates. Is there something to this?

Yes and no. CNBC, like most of the media, has a strong left-wing bias. On the other hand, the Republicans are quick to label legitimate criticism as examples of bias.


There is an easy way to detect improper bias. The principle of journalism is that there are two reasonable sides to any debate. One side may be wrong, of course, but both sides are reasonable. Partisan bias, however, involves arguing that one side in the debate is unreasonable. When the press calls somebody a "comic book clown", then it's bias. Merely saying they are "wrong" is not bias.

That's what happened many times during the CNBC moderated debate of Republican candidates, most egregiously when they called Trump a "comic book" version of a candidate. We all know that Trump is a demagogue, that he appeals to the ignorant masses more than intelligent people. But when you drill down on Trump's ideas, what you'll find is that he's usually merely wrong rather than irrational. For example, a couple months ago, Trump was attacked in the press for saying "the constitution is unconstitutional". Actually, if you looked at what Trump really said, in context, you'll find a quite reasonable interpretation of the 14th amendment. Not a likely "correct" interpretation, mind you, but still a "reasonable" one.

Moderators should attack Trump based on the assumption that he's reasonable. Everyone knows you can't deport all the illegal aliens in America without violating everyone's constitutional right to "due process". Does Trump propose suspending due process? Or does he have a concrete plan that'll prove everybody wrong? That's the question I'd ask him, instead of calling him a clown.


But it's not just with Trump where the moderators let their bias show. Another example was a question to Ben Carson on gay marriage. The left-wing press assumes that the Republican stance on gay marriage is due to bigotry, and hence, is unreasonable. That's not true.

Our society is quickly transitioning from a point when gays were ostracized to one where they are accepted. Democrats and Republicans handle this transition in different ways. As "conservatives", Republicans are of course going to handle this by being unwilling to change existing institutions. In particular, marriage has religious associations that Republicans are sensitive to. Had the national debate centered on "civil unions" instead of "gay marriage", as it did in France, you would have seen a very different response from both Republicans and Democrats.

The CNBC moderator let his bias show by implicitly assuming Republicans were anti-gay bigots in his question to Carson:
MODERATOR: Why would you serve on a company whose policies [gay partner benefits] seem to run counter to your views on homosexuality?
CARSON: Well, obviously, you don't understand my views on homosexuality … [One] shouldn't automatically assume that because you believe that marriage is between one man and one woman that you are a homophobe.
In other words, Carson's response was that his views on homosexuality are not the unreasonable caricature drawn by the CNBC moderator, and that of course gays deserve the same rights as everyone else.

Despite what I said above, gay marriage is indeed cover for a lot of homophobia. Kim Davis is proof: her rampant adultery and four marriages are as far from any Christian definition of the institution as gay marriage. Debate moderators should probe this -- but based on the assumption Republicans are reasonable people and not bigots. An example might be:
Moderator (me): Last year, the RNC put out a video declaring that everyone is welcome in the Republican party: men, women, whites, blacks, hispanics, and so on. Yet they didn’t mention gays. Do Republicans welcome gays? If you get the Republican nomination, what will you do to make gays feel more welcome in the party?

A similar issue is climate change. Republicans don’t deny the scientific consensus behind climate change. They may be wrong, not taking the issue seriously enough, but they aren’t unreasonable people who deny science. But "denialism" is too attractive an argument for Democrats, and the left-wing media has seized upon it, clearly violating their own journalistic principles to make it true.

This bias is apparent in CNBC’s question:
Moderator: Governor Christie, you've said something that many in your party do not believe, which is that climate change is undeniable, that human activity contributes to it, and you said, quote: "The question is, what do we do to deal with it?".
Journalistically, the moderator's claim that "many in [the] party do not believe" is unsupported by the available evidence. It's a weird thing, because everyone knows it's true, but when you go hunting for the evidence, you'll find it difficult to find. Instead, what you'll find are statements like these at ClimateProgress, which when twisted out of context seem to indicate denialism, but which don't explicitly deny that human activity contributes to climate change.

If I were a candidate, I’d prepare for this question with the following response:
Candidate (me): Point of order. You make the claim that many Republicans deny that human activity contributes to climate change. Of the 10 candidates on this stage, Mr. Moderator, how many of us do you think would deny this?
Moderator:
Candidate: Okay fellow candidates, raise your hand if you deny that human activity contributes to climate change.
Candidates:
Candidate: As you know, we Republicans often complain of media bias. What just happened demonstrates why. We want to have substantive debate on this issue, but you can’t stop calling us deniers.


The problem being discussed here is not that journalists believe Republicans to be wrong. Instead, the problem is that journalists believe the Republicans to be unreasonable. Despite the fact that Republicans are often too quick to label valid criticism as "bias", a problem does exist. In the CNBC hosted debate, several questions (as shown here) are based on the erroneous belief that Republicans are unreasonable rather than merely wrong.


Wednesday, October 28, 2015

OMG, the machines are breeding! Mankind is doomed! DOOMED!!!

My Tesla has the same MAC address vendor code as an AR Drone. These are two otherwise unrelated companies, yet they share the same DNA. Flying drones are mating with land-based autonomous vehicles. We are merely months away from Skynet gaining self-awareness and wiping out mankind.

You can see this in the screenshot below, where we see the output of a hacking program that monitors the raw WiFi traffic. The AR Drone acts as an access point so that your iPhone can connect to it and control the drone. The Tesla, on the other hand, is looking for an access point named "Tesla Service", so that when you drive it in for service, it'll automatically connect to their office and exchange data. As you can see, both devices have the same vendor code of "90:03:B7" for Parrot SA.


Here is a picture of the AR Drone cavorting with the car. The top arrow points to the drone, the bottom arrow points to the car.


So why the relationship? Why does the Tesla look like a drone on WiFi?

The company Parrot SA started out creating kits for cars that contain WiFi, Bluetooth, and voice control. Since they were already building embedded WiFi, they apparently used that expertise to make a flying drone controlled via WiFi (from an iPhone app). So while it seems odd that Parrot would sell both drones and automobile components, it's actually overlapping expertise.

Car companies like Tesla don't design everything themselves. Instead, the car is assembled from pieces built by other companies. The leather interior, for example, is made by a company that makes leather for other luxury cars. The paint is a standard automobile paint. Tesla just included the Parrot voice command and WiFi control unit instead of designing their own. I think even the "autopilot" feature is software algorithms developed by another company. The only bits that are truly unique to Tesla are the batteries, the engine, and the stamped aluminium car body.

The same is true throughout the spectrum of Internet-of-things, self-driving cars, and flying drones. All these products are assembled from the same industry base. For example, the nVidia Tegra chips in my Tesla are the same as can be found in "June Intelligent Ovens". Why do ovens need advanced GPUs in order to display the temperature? I don't know, they just do, otherwise Skynet won't get enough compute power to become sentient.



Samy Kamkar has a tool, "SkyJack", for attacking drones. It identifies targets based on the MAC address vendor code. Thus, his tool could potentially attack my car by accident instead:
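Why a vendor-prefix rule alone misidentifies devices, as an added example that is not part of the post or of SkyJack: it classifies a few constructed 802.11 frame summaries first by OUI only, then by OUI plus the device's role (the drone advertises its own access point; the car only probes for "Tesla Service"). The 90:03:B7 prefix is the one quoted above; everything else in the frames is made up.

```python
# Constructed 802.11 management-frame summaries (not a real capture). The drone
# advertises its own access point; the car only probes for "Tesla Service", as
# described above. Only the 90:03:B7 prefix is real; the rest is made up.
FRAMES = [
    {"type": "beacon",    "src": "90:03:b7:12:34:56", "ssid": "ardrone2_012345"},
    {"type": "probe-req", "src": "90-03-B7-AB-CD-EF", "ssid": "Tesla Service"},
    {"type": "beacon",    "src": "00:11:22:33:44:55", "ssid": "HomeWiFi"},
]

# Tiny stand-in for the IEEE OUI registry; 90:03:B7 is the prefix quoted in the post.
OUI_VENDORS = {"90:03:B7": "Parrot SA"}


def oui(mac):
    """Normalise a MAC written with ':' or '-' in any case and return its OUI."""
    octets = mac.replace("-", ":").upper().split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"bad MAC address: {mac}")
    return ":".join(octets[:3])


def vendor(mac):
    return OUI_VENDORS.get(oui(mac), "unknown")


def flagged_by_vendor_only(frames, target_vendor="Parrot SA"):
    """The vendor-prefix rule on its own: anything with that OUI is 'a drone'."""
    return {f["ssid"] for f in frames if vendor(f["src"]) == target_vendor}


def flagged_by_vendor_and_role(frames, target_vendor="Parrot SA"):
    """Same OUI test, but also require the device to behave like the drone: it
    must be the one advertising an access point (sending beacons), not a client
    probing for someone else's network. The car drops out of the match."""
    return {
        f["ssid"] for f in frames
        if vendor(f["src"]) == target_vendor and f["type"] == "beacon"
    }


if __name__ == "__main__":
    print("by OUI only:     ", flagged_by_vendor_only(FRAMES))
    print("by OUI and role: ", flagged_by_vendor_and_role(FRAMES))
```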



The point is this: the machine people are breeding out of control. This can only lead to disaster. Mankind is doomed.

Friday, October 23, 2015

Dumb, dumber, and cybersecurity

The reason you got hacked is because you listen to dumbasses about cybersecurity, like Microsoft.

An illustrative example is this article on "10 steps to protect" yourself. The vast majority of cyber threats to a small business are phishing, password reuse, and OWASP threats like SQL injection. That article addressed none of these threats.


But it gets better.

At the bottom of that article is a link to this "Cyber Security IQ" quiz at Microsoft's small-business website. The first question asks about password sharing. I show their "right" answer here:


Their correct answer is "None of the above", meaning that it's not okay to share your passwords with anybody. But this is nonsense. For your work account, of course it's okay to share your password with your boss. In fact, it's often necessary.

There have been several court cases where IT administrators have been fired, where the companies later found that the fired employee is the only one with passwords to certain critical systems. The (former) administrators were prosecuted for refusing to give their former bosses the passwords.

If your boss demands your password to your corporate accounts, of course you must give them your password.


But it gets better. Way better.

While answering the second question, this happened.
Whenever you visit this website, on pretty much any page as far as I can tell, you are going to get this popup asking to chat after a few minutes. At first I thought it was tied to this question (which would be clever), but it isn't -- it's a site-wide thing, unrelated to this quiz.

The correct answer to the underlying quiz question is "Press Alt + F4", which closes the browser window. That's because unwanted popups will often position the [x] carefully in order to exploit "clickjacking" in your web browser. You should never click anywhere on a popup.

But of course, if you did hit Alt-F4 to close the window, you could never complete this "Cyber Security IQ" quiz, because you'd always get this popup.


Here's my point. The "10 steps" article and the "IQ" quiz are why we can't solve cybersecurity. They are created by marketing people with plausible sounding advice, like "make sure you have a firewall". The reason you get hacked is because you listen to this plausible advice, while ignoring the real problems you have. Phishing, password re-use, and SQL injection have been the most popular hacks for 15 years because everyone does cybersecurity the Microsoft way shown above, instead of actually paying attention to the problem. Among your cybersecurity plans you should have three documents entitled "How we stop phishing", "How we stop password re-use", and "How we stop OWASP Top 10". If you don't, you suck.



It could be that this popup is an obscenely clever trick for measuring your real IQ. But I tested it. No matter which webpage you go to on the site, after a few minutes this popup appears.

Ethics of killing Hitler

The NYTimes asks us: if we could go back in time and kill Hitler as a baby, would we do it? There are actually several questions here: emotional, moral, and ethical. Consider a rephrasing of the question to focus on the emotional question: could you kill a baby, even if you knew it would grow up and become Hitler?


But it's the ethical question that comes up the most often, and it has real-world use. It's pretty much the question Edward Snowden faced: should he break his oath and disclose the NSA's mass surveillance of Americans?

I point this out because my ethical response is "yes, and go to jail". The added "and go to jail" makes it a rare response -- lots of people are willing to kill Hitler if they don't suffer any repercussions.

For me, the hypothetical question is "If you went back in time and killed Hitler, would you go to jail for murder?". My answer is "yes". I'd still do my best to lessen the punishment. I'd hire the best lawyer to defend me. It's just that I would put judgement of my crime or heroism in the hands of others. I would pay the consequences, whatever they were.


Another way of looking at the question is: "If you had a time machine, is killing Hitler the best option?". Maybe if you sent a hot chick back in time to get Hitler laid as a teenager, he wouldn't be so angry at the world. Maybe if you went back in time and purchased his crappy paintings, or hired him as an architect, you could steer his life onto another path. Seriously, the time stream is full of butterflies that simply need to flap their wings in order to divert Hitler from genocide.

I point this out because it's "murder" that is the question, and Hitler is only window dressing.

There is a cybersecurity bill, "CISA", in front of congress right now that will be voted on next week. But "cybersecurity" is only the window dressing. The tech industry and cybersecurity experts oppose it. Its only supporters are the intelligence community, like the FBI and NSA. It's really a disguised surveillance bill. Just like people seem uninterested in stopping Hitler through some means other than murder, government is uninterested in stopping hackers through some other means than mass surveillance and a police state.


Anyway, those are my two answers to the "kill Hitler" question. If I had a time machine, my first choice wouldn't be "murder". If I did choose "murder", I'd expect to go to jail for it.

Thursday, October 22, 2015

Car hacking is as fake as the moonlanding

How can the flag stay up? There's no wind on the moon!! #fake

David Pogue at Scientific American has an article claiming that hacking cars is "nearly impossible" and "hypothetical", using the same sorts of arguments crazies use trying to prove the moon landing was faked.

Of course, "hacking a car" probably doesn't happen as the public imagines. Delving into the details, you'll find things you didn't expect. It's like the stars in pictures at the moon landing. Because of contrast issues with the bright foreground, the dim stars disappear. This has led to crazies saying the lack of stars is proof that the moon landings were faked, because they don't understand this technical issue. Similarly, Pogue claims car hacking is fake because the technical details don't match his ignorant prejudices.

Pogue's craziest claim is that the Jeep hack is fake because Jeep fixed the issue. Nobody can hack a Jeep as the researchers claim. But that's because the researchers proved to Jeep that it was possible, and gave time for Jeep to fix the problem. It's like claiming the 9/11 terrorist attacks are purely hypothetical, because the Twin Towers of the World Trade Center no longer exist.

The misunderstanding here is that Pogue believes the hack was a one time thing, that now that Jeep fixed the problem, no more hacks will be possible in the future.

The reality is that this hack proves that a whole new class of bugs exist. You don't patch your iPhone or Windows laptop once. Instead, you've been updating your iPhone and Windows computer once a month for over a decade because new hacks keep getting discovered. The relevance of the "car hacking" research is that cars are enormously complex computers full of flaws. It's a message that nobody will pay attention to until the first set of flaws are published. Now that those flaws have been exposed, it'd be insane to continue to ignore this message and pretend future flaws won't be found. Pogue is that insane.

The consequence is manifold. It means that car makers need to find an easier way to regularly update their software rather than the traditional "recall" process of taking the car to the dealer and leaving it there for a few days. It means car makers need to change how they develop software, getting rid of the obvious bugs they have now (such as putting Jeeps on the Internet so that anybody can scan and find them).


This is the battle of cybersec. The issues are clear and obvious to us, yet we are unable to overcome the obstinate ignorance as demonstrated in Pogue's post.



Disclaimer of reasonableness: It's impolite to accuse an otherwise reasonable person of being one of those "fake moon landing" nuts. Indeed, he makes a cogent point that many will misinterpret things and be too fearful of car hacking. Automobile-related deaths are unlikely to show a statistical increase due to car hacking. He's not crazy. However, Pogue is profoundly ignorant of the issue, his strong assertions are not borne out by the facts, and this is indeed a danger that needs to be addressed. I don't know how to communicate the profoundness of his error without comparing it to something like the moon landing.



Update: Many have argued Chris Valasek and Charlie Miller went too far, demonstrating their hack on a live freeway. They claim it would've been just as believable on a racetrack instead. Pogue's article proves this wrong. It means Pogue would've added to his article "It wasn't in real traffic conditions, but only on a racetrack". We experts see no essential difference, but the ignorant like Pogue do. Obviously, Valasek and Miller didn't go far enough.




Wednesday, October 21, 2015

Biden vs Risk Analysis

What we try to do in cybersecurity is "risk analysis". Most people get this wrong.

An example of this is today's announcement by vice president Joe Biden that he won't run for president. Many pundits have opined that it's because he can't beat Hillary Clinton. This is wrong.

The phrase "can't beat Hillary" makes no sense. It imagines a world where risk is binary: you either can or you can't. That's not how it works. Instead, we calculate the odds of beating Hillary. That number is not 0%. For one thing, a meteor might hit the earth and strike Hillary dead, so there's always some chance of beating her.

Responsible risk analysts ignore the rhetoric and try to calculate the odds. The easiest way of doing this is on the many betting websites, which have variously given Biden a 5% to 10% chance of winning the presidency. Given that the presidency is easily worth a billion dollars, and you don't spend your own money (just donations), these are great odds. Everybody who believes their chance is greater than 5% runs -- which is why we have over 20 candidates right now.

In other words, would you pay $10 for a 5% chance of winning $1000? Of course you would. In the long run, the expected payout on such bets is five-to-one. Would you spend a year's worth of hard work for a 5% chance to win the presidency? Of course you would.

I suspect the real reason Biden didn't run is technical. He needs a competent team, but I suspect that the most competent people are already working for the ~20 other candidates. He needs party support, but I think Hillary has got all the party power players committed to her. Biden needs some powerful backers to get the ball rolling, to fund the first steps to get the stream of donations from the common people coming in, but I think they've all spent this season's budget on some other candidate. Or, maybe Hillary has dirt on him, and he's being blackmailed not to run. Whatever the reason, it's something technical like this.

In conclusion, risk is math, not rhetoric. Statements like "Biden can't win" or "computers aren't secure" are nonsense. Actual numbers are what we should be paying attention to.

Monday, October 19, 2015

DEF CON drink-off -- for science!

The DEF CON hacking conference is a mixture of techies and drinkers. I propose we exploit this for science. Specifically, we should take a look at vodka. Vodka is just ethanol and water with all taste removed by distillation and filtering. We can answer two important questions.

  1. Poorly made, cheap vodka lets too much of the (bad) flavor through. Can this be improved by running it through a filter? (Such as a cheap Brita water filter).
  2. Well-made vodka should be indistinguishable from each other. Can people really taste the difference? Or are they influenced by brands?

We need to science the shit out of these questions with a double-blind taste test. DEF CON is a perfect venue for getting a statistically relevant number of samples. We should set up a table in a high-traffic area. We'll ask passersby to taste a flight of several vodkas and to rate them.

I suggest the following as the set of vodkas to test.

1. Smirnoff, by far the market leading vodka in America, a "mid-shelf" vodka at $22 for a 1.75 liter bottle.
2. Grey Goose, the third most popular vodka in America, a "top-shelf" vodka for $58 a 1.75 liter bottle.
3. A randomly chosen "bottom shelf" vodka, chosen at the local liquor store, for the cheapest price (around $10 for a 1.75 liter bottle).
4. That same "bottom shelf" vodka, but this time filtered through a Brita system.
5. Costco vodka, which costs about $14 for a 1.75 liter bottle. Costco notoriously sells high-quality products for a low price.

These are all 80 proof (40% ethanol). I suggest half-shots (20 milliliters) in little paper cups, which is about 80 samples per 1.75 liter bottle. All five bottles would cost $114 combined. We'd want a large number of subjects, around 500, so it'd be about $700 worth of vodka. We couldn't possibly sell the vodka, but we could ask for donations, asking tasters to contribute $1.50 for the flight they've tasted. This would help defray the costs.

The test should be blind, so that the subjects have no idea which vodka is which. Each subject should taste the five in a different random order, so that ordering doesn't affect results. Furthermore, the test should be double-blind: one tester first decants the original vodka into numbered bottles, so that the other testers manning the table do not themselves know which is which, and therefore cannot influence the subject's judgement. We'll need to get a set of identical bottles, which means everyone will need to pitch in helping empty some bottles the night before.

Tasting should be done "neat" (not mixed with anything else) and at room temperature. Mixed ingredients kill the taste of vodka, making it harder to tell the difference. Chilled temperatures likewise kill the taste, so the warmer the better.



Alternate protocol

There are a number of alternate experiments we can run. I chose the above example for ease-of-testing. But, as @paulm has pointed out, it'd probably be better just to test two vodkas at a time, side-by-side.

In this alternate experiment, we'd have the same 5 vodkas to start from. We'd pick one of the five at random and give it to the subject. We'd then pick a second at random from all five and give it to the subject. We'd then ask the subject to determine which is better, or if they taste the same. (In one-in-five cases, they actually will be the same.)

The biggest problem is logistics. It'll take about 5 minutes per person, or 12 people per hour, or 80 people per day. I'm guessing it would be roughly the same amount of time per subject whether they take 2 samples or 5.

Another problem is the number of bottles. You need two groups of five to choose from, so that the subject can't tell when they've been given two of the same vodka.

The biggest problem is statistics. Assuming we can get 500 samples, any particular combination only occurs 10 times. That makes answering narrow questions like "Is Grey Goose better than Smirnoff?" difficult. This can be solved by narrowing the choices, but I don't like that. There may be some weirdness about that particular combination that you wouldn't see given a different combination. If we are testing "Can rotgut be improved by filtering?" I'd rather have a variety of different vodkas to test against.
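The mechanics of both protocols (the double-blind decanting key and per-subject random flight order from the main proposal, and the two-independent-draws pairing from the alternate one), as an added example that is not part of the post; the "true score" table used to simulate subjects is a constructed placeholder, not a claim about any vodka.

```python
import random
from collections import defaultdict

# The five vodkas proposed above. Subjects and the table crew only ever see
# bottle numbers; the names stay with whoever decanted.
VODKAS = ["Smirnoff", "Grey Goose", "bottom shelf",
          "bottom shelf, Brita-filtered", "Costco"]

# Constructed hidden preferences (1-5) used only to simulate subjects' scores.
TRUE_SCORE = {"Smirnoff": 3, "Grey Goose": 4, "bottom shelf": 2,
              "bottom shelf, Brita-filtered": 3, "Costco": 4}


def decant_key(vodkas, rng):
    """Decanter's private key: bottle number -> vodka. Nobody at the table sees it."""
    numbers = list(range(1, len(vodkas) + 1))
    rng.shuffle(numbers)
    return dict(zip(numbers, vodkas))


def flight_order(n_bottles, rng):
    """Per-subject random order of all n bottles, so position doesn't bias ratings."""
    order = list(range(1, n_bottles + 1))
    rng.shuffle(order)
    return order


def pair_draw(n_bottles, rng):
    """Alternate protocol: two independent draws, so with probability 1/n the
    subject gets the same vodka twice (served from two separate bottle sets)."""
    return rng.randint(1, n_bottles), rng.randint(1, n_bottles)


def same_pair_fraction(n_bottles, trials, rng):
    """Empirical check of the one-in-n 'same vodka twice' rate."""
    same = sum(1 for _ in range(trials) if len(set(pair_draw(n_bottles, rng))) == 1)
    return same / trials


def unblind(key, ratings):
    """Map (bottle, score) ratings back to vodka names and average per vodka."""
    scores = defaultdict(list)
    for bottle, score in ratings:
        scores[key[bottle]].append(score)
    return {vodka: sum(s) / len(s) for vodka, s in scores.items()}


def run_flight_protocol(n_subjects, rng):
    """Simulate the main protocol end to end: decant, serve each subject a random
    flight, collect one score per cup, and unblind only at the end. Simulated
    subjects score the hidden TRUE_SCORE plus -1/0/+1 noise."""
    key = decant_key(VODKAS, rng)
    ratings = []
    for _ in range(n_subjects):
        for bottle in flight_order(len(VODKAS), rng):
            ratings.append((bottle, TRUE_SCORE[key[bottle]] + rng.choice((-1, 0, 1))))
    return key, unblind(key, ratings)


if __name__ == "__main__":
    rng = random.Random(2015)
    key, means = run_flight_protocol(500, rng)
    print("decanter's key:", key)
    print("unblinded means:", means)
    print("same-pair rate:", same_pair_fraction(5, 10000, rng))
```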

Friday, October 16, 2015

DH-1024 in Bitcoin terms

The recent paper on Diffie-Hellman "precomputation" estimates a cost of 45-million core-years. Of course, the NSA wouldn't buy so many computers to do the work, but would instead build ASICs to do the work. The most natural analogy is how Bitcoin works. Bitcoin hashes were originally computed on CPU cores, then moved to graphics co-processors, then FPGAs, then finally ASICs.

The current hashrate of Bitcoin is 460,451,594,000 megahashes/second. An Intel x86 core computes about 3 megahashes/second, so the network is equivalent to 153,483,864,667 CPU cores. Divide this by 45-million core-years for precomputing 1024-bit DH, and you get 3410 DH precomputations per year. Thus, we get the following result:
The ASIC power in the current Bitcoin network could do all the necessary precomputations for a Diffie-Hellman 1024 bit pair with 154 minutes worth of work. Or, the precomputation effort is roughly equal to 15 bitcoin blocks, at the current rate.
(Update: I did some math wrong, it's 154 minutes not 23 minutes)

Another way of comparing is by using the website "keylength.com", which rates the effort of cracking 1024-bit DH as equivalent to 72 to 80 bits of symmetric crypto. At the current Bitcoin rate, 72 bits of crypto comes out to 15 bitcoin blocks, matching the estimate above. (I assume precomputation is roughly the same amount of work as computing 1024 DH).
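The same back-of-envelope arithmetic, written out as an added Python example (not code from the original post), so the inputs can be swapped for a newer hashrate or a different core-years figure. The 460,451,594,000 MH/s hashrate, the 3 MH/s per-core rate and the 45-million core-year cost are the post's quoted numbers, entered here as constants; the second function generalizes the keylength.com comparison to any symmetric bit-strength, treating one hash as one brute-force operation.

```python
"""Convert a core-years cracking estimate into Bitcoin-network wall-clock time.

The constants below are the figures quoted in the post (entered by hand for
this example); nothing is fetched from the network.
"""

SECONDS_PER_YEAR = 365.25 * 24 * 3600
BLOCK_INTERVAL_SECONDS = 600              # Bitcoin targets one block every 10 minutes

BTC_HASHRATE_MH_PER_S = 460_451_594_000   # network hashrate, megahashes/second
CORE_MH_PER_S = 3                         # one x86 core, megahashes/second
DH1024_CORE_YEARS = 45_000_000            # precomputation cost from the paper


def equivalent_cores(network_mh_per_s=BTC_HASHRATE_MH_PER_S,
                     core_mh_per_s=CORE_MH_PER_S):
    """How many single CPU cores the network's hashrate corresponds to."""
    return network_mh_per_s / core_mh_per_s


def core_years_to_seconds(core_years,
                          network_mh_per_s=BTC_HASHRATE_MH_PER_S,
                          core_mh_per_s=CORE_MH_PER_S):
    """Wall-clock seconds the whole network needs to match `core_years` of one-core work."""
    return core_years * SECONDS_PER_YEAR / equivalent_cores(network_mh_per_s, core_mh_per_s)


def symmetric_bits_to_seconds(bits, network_mh_per_s=BTC_HASHRATE_MH_PER_S):
    """Seconds for the network to perform 2**bits hash-equivalent operations.

    This is the same rough equivalence the post draws: one hash counts as one
    step of a brute-force search over a `bits`-bit symmetric key.
    """
    return (2 ** bits) / (network_mh_per_s * 1_000_000)


def seconds_to_blocks(seconds):
    """Express a duration as a count of Bitcoin blocks at the target interval."""
    return seconds / BLOCK_INTERVAL_SECONDS


def dh1024_estimate():
    """The post's headline numbers for one DH-1024 precomputation."""
    secs = core_years_to_seconds(DH1024_CORE_YEARS)
    return {
        "equivalent_cores": round(equivalent_cores()),
        # the year length cancels out here: cores / core-years
        "precomputations_per_year": equivalent_cores() / DH1024_CORE_YEARS,
        "minutes": round(secs / 60),
        "blocks": round(seconds_to_blocks(secs)),
    }


def symmetric_estimate(bits):
    """Blocks of network work equivalent to a `bits`-bit brute-force search."""
    return seconds_to_blocks(symmetric_bits_to_seconds(bits))


if __name__ == "__main__":
    print(dh1024_estimate())
    for b in (72, 80):
        print(f"{b}-bit symmetric search ~ {symmetric_estimate(b):.1f} blocks")
```

Each extra bit of symmetric strength doubles the block count, so the 72-to-80-bit range keylength.com gives spans a factor of 256 in network time.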

Saturday, October 10, 2015

Infosec is good people

For all that we complain about drama in our community, we are actually good people. At a small conference yesterday, I met "Kath". She just got her degree in advertising, but has become disillusioned. Her classes in web development and app development have shown her how exploitative online advertising can be. ("PHP has made me cry" -- yes, it's made all of us cry at some point).

She's felt alone, as if she were the only one who had those feelings, then she discovered the EFF, and privacy activists like Yan (@bcrypt) who have been fighting for privacy. Kath grew up in the middle of nowhere in Texas, and went to college in another middle-of-nowhere place in Texas. Being a muggle, she'd never heard of infosec before -- but she got a ticket and flew to New York to attend this little infosec conference where Yan was speaking. (Well, that and also to apply for the NYU graduate program in media).

She found things she didn't expect. She found, for example, how she can contribute, using her skills in usability to make crypto and privacy better for users. She also found a community that was accepting and approachable. Advertising is a hierarchy, with those on top unapproachable from those on the bottom. In infosec, you can just go up and talk to anybody -- and she did.

The conference, "SecretCon", was put on by Elissa Shevinsky (@elissabeth). Elissa didn't focus on the infosec community as such, but instead marketed the conference to outsiders. It was a highly diverse set of people. I met "Dave" who is building an Android app that needs better authentication, so he gets drawn into this community. I met "Kacie", who does sysadmin for a startup education company, who has to secure her systems. While many attendees were outsiders, the speakers were still insiders. No, they weren't there to discuss their latest 0day. The talks were more like TEDx where experts discuss the things they are expert in. I'd actually never seen Jon Callas and Yan speak before -- they are actually great speakers.

My point is this. They all found a nice community. While we spend a lot of time discussing what's wrong with our community, we really rock. So there.


PS: TED sucks, TEDx is less bad -- I don't mean to disparage SecretCon by comparison. I'm just pointing out that it's not the "latest 0day" style insider talks :).


Wednesday, September 30, 2015

Jeb Bush is a cyber-weenie

Jeb Bush, one of the many 2016 presidential candidates, has numerous positions on "cyber" issues. They are all pretty silly, demonstrating that not only he but also his advisors profoundly misunderstand the issues.

For example, his recent position opposing "NetNeutrality" regulations says this:
these rules prohibit one group of companies (ISPs) from charging another group of companies (content companies) the full cost for using their services
Uh, no, that's how Democrats frame the debate. ISPs charging content providers is actually a very bad thing. That we Republicans oppose NetNeutrality is not based on the belief that "charging content companies" is a good thing.

Instead, NetNeutrality is about technical issues like congestion and routing. Congestion is an inherent property of the Internet. NetNeutrality shifts the blame for congestion onto the ISPs. NetNeutrality means the 90% of Comcast subscribers who do not use Netflix must subsidize the 10% who are.

Or at least, that's one of the many ways Republicans would phrase the debate. More simply, all Republicans oppose NetNeutrality simply because it's over-regulation. My point is that Jeb Bush doesn't realize he's been sucked into the Democrat framing, and that what he says is garbage.


A better example is Jeb's position on cybersecurity. His position is essentially that we need to create a Cyber Police State to solve the problem. He opposes the free market, wanting government to regulate business cybersecurity. He uses terms like "public-private partnerships", which are terms invented by Democrats to justify over-regulation.

One position paper talks about the CISA bill:
We are not powerless unless we choose to be. It would be a start for the President to show leadership on Capitol Hill, and to throw his weight behind the House’s effort to improve cybersecurity information-sharing between the government and the private sector — a critical impediment to cybersecurity according to experts.
Uh, what "experts"? I am a top expert. I know the other top experts. I know of no expert who believes this -- except those who have close ties to the government. Most experts oppose the CISA bill in question, as a violation of civil liberties that would have an insignificant benefit to cybersecurity.

Beyond the "sharing" features of CISA, the bill would almost certainly contain amendments that will make us weaker. Cyber-weenies in government can't tell the difference between cyber-criminals and cyber-defenders. These amendments that attempt to crack down on cyber-criminals inadvertently threaten cyber-defenders. The current law already has a minor chilling effect on cyber-defenders -- rather than fixing that problem, the proposed changes would create a huge chilling effect.


Cyber-issues are important. Instead of farming out position papers to flunkies with little knowledge of cyber, they should get competent people. For example, the controversial Derek Khanna is a policy wonk who is not a weenie on cyber issues.

Here are some off-the-cuff cybersecurity policy suggestions. While not much thought has gone into them, I claim they are vastly better than Bush's. They are based on Republican principles, as well as cybersecurity expertise.

1. Retaliate against China

In reality, most cyber attacks from China are not directed by the government. It's just that they encourage a culture that rewards people who hack America. But we do have clear evidence of the Chinese government conducting cyberwar against the United States, such as the DDoS on GitHub.

Retaliating in cyber-space itself is a bad idea, as that legitimizes cyberspace as a battleground for attacks against us. But we should retaliate in other ways, such as trade restrictions. In the near term, this will hurt the United States, too. But in the long run, China needs to fear consequences for its unrestricted hacking against us. Without consequences, China will never stop.

2. Government fix thyself

Before government tampers with the free market, they need to solve their own cyber issues first. We can't expect the government to "promote best practices in the private sector", as Bush wants, unless they first implement those best practices in the government sector.

That the OPM hack happened is inexcusable. It's not simply that OPM failed at "best practices", but that the data never should have been Internet-accessible in the first place. I point to this policy because it's radically different from Jeb Bush's. Disconnecting a department's computers from the Internet is a radical policy that doesn't happen because of internal resistance. It takes a strong leader with a competent cyber team to overcome such resistance.

Bush's solution to OPM, firing the leaders, is attractive, but incomplete. You also fire leaders who don't deliver on other demands, such as easy access to data from other departments. Sometimes these demands are incompatible. It's often the leaders above departments who are at fault, giving subordinates an impossible task. It's the sort that says "I don't care about the obstacles -- just make it happen". What you've created is an environment where the leaders choose the option that will keep them in the job the longest. That means doing the insecure thing now, to avoid getting fired now, and hoping hackers don't find out until they've moved on to some other job.

3. Get a technical cyberczar

From Bush's brother through Obama, all cyberczars have been cyber-weenies with essentially no technical knowledge. Indeed, the current cyberczar prides himself on his lack of technical knowledge, believing (falsely) that it allows him to see the bigger picture without getting bogged down in details.

In truth, he's right that most problems aren't technical in nature. A cyberczar skilled in technology, but unskilled in government, will have a lot of problems. But here's the thing: everything starts as a technical problem. Government has a culture of cyber-weenies with nobody, from the top on down, being competent to solve technical problems. Teams remain dysfunctional because their leader doesn't have sufficient technical skill to know that a lack of technical skill is the problem. Change needs to start at the top, meaning establishing a minimum set of technical credentials for the cyberczar, then among those qualified choosing the best bureaucrat.

4. Support the defenders

Right now, because of government cluelessness, the defenders are under attack. CISA amendments threaten them. CFAA extensions threaten them. Export restrictions threaten them. Corrupt copyright interpretations threaten them. Civil lawsuits threaten them. The recent executive order declaring a "cyber state of emergency" threatens them. Heck, the president has arrogated to himself the power to drone strike a cyber-expert he feels may be a threat to national security.

I scan the entire Internet looking for things like Heartbleed (a famous vulnerability), and report what I find to the cybersecurity community. But I exclude military systems from such scans, because our military threatens me. This doesn't stop the Chinese, of course. Therefore, the Chinese know about such weaknesses in our military systems, but the American people don't.

This is an application of what's known as "Kerckhoffs's principle", a principle of openness and transparency that underpins cybersecurity -- and one opposed by cyber-weenies in government who believe in keeping everything secret, even from defenders.

Empowering defenders is almost a 2nd Amendment thing. Current government policy takes away power from the defenders, trying to give government a monopoly on cyber-defense.  Good Republican policy should be the opposite, to do more to empower the people to defend themselves.


Conclusion

Reasonable people can disagree about policy. My point here isn't to declare the best policy. My point instead is to highlight the flaws in Jeb Bush's policy. His people have created positions that are typical government insider generalities, demonstrating no actual expertise in the subject. He declares that the next leader of this country needs to solve this problem -- while demonstrating he isn't the leader to do so.

Disclaimer: I've donated $10 to the Jeb Bush campaign, and will vote for whichever Republican candidate wins the primary over any Democrat (except Trump, of course).


Tuesday, September 29, 2015

Prez: Candidate synchronization

So last week I gave $10 to all the presidential campaigns, in order to watch their antics. One thing that's weird is that they often appear to act in unison, as if they are either copying each other, or are all playing from the same secret playbook.

The candidates must report their donations every quarter, according to FEC (Federal Elections Commission) rules. The next deadline is September 30th. Three days before that deadline, half the candidates sent out email asking for donations to meet this "critical" deadline. They don't say why it's critical, only that it is some sort of critical deadline that must be met, which can only be done with your help. The real reason why, of course, is that this information will become public, implicitly ranking the amount of support each candidate has.

Four days before this deadline, I didn't get donation pleas mentioning it. Three days before, half the candidates mentioned it. It's as if one candidate sees such an email blast, realizes it's a great idea, and sends out a similar email blast of their own.

Two days before the deadline, three of the candidates sent out animated GIFs counting down to the deadline. (These were auto-generated with a PHP script when I read the emails to be accurate to the then current time, but are of course now out of date.)

All three arrived within an hour. I don't know which candidate did it first.

One theory is that they are copying each other. The teams for each candidate watch their competitors rather like I am, then whenever one candidate does something good, everyone else plays catch-up.

Another theory is that they may all be playing from the same playbook. Professional campaign people move around campaigns a lot, so they all might be copying things that other people have done in the past. It's really weird how so many candidates appear to act all in unison, even those of different parties, which really hints they'd planned on doing these things, at these specific times, long ago.




Tuesday, September 22, 2015

I gave $10 to every presidential candidate

What happens when your candidate drops out of the 2016 presidential race? What do they do with the roughly one million names of donors they've collected?

I've decided that somebody needs to answer this question, so I've donated $10 to each of the roughly 25 current presidential candidates (yes, even the hateful ones like Trump and Lessig). By donating money, I've put myself on the list of suckers who they can tap again for more donations. After the election next year, we'll be able to figure out how each candidate has used (or misused) the email addresses I gave them.

For most candidates, the first two pieces of information they ask of you are #1 your email address and #2 your zip code. They need the zip code so that when there is a local rally in your area, they can contact you to get you to turn out. But as a side effect, it means being able to extract favors from local politicians.

I suspect one use of this zip information is when one Representative goes to another and says "If you support my bill, I'll blast out a fund raising message for you to all my donors who are in your district". Therefore, to do this right, I'd have to make a donation from every congressional/senate district in the country. I'm not willing to go that far.

A donor list also adds to their influence within their respective parties. I suspect that once they drop out of the race, candidates will start pumping their email lists with pleas for donations to the party.


Interacting with the various websites tells me a lot about the candidates. Hillary's gave me the impression of being one of the smartest websites. She appeared to handle all the important technical features herself on the website, rather than outsourcing everything to third parties (as you'd expect, since she's been running for president longer than the Internet has been around). Once you sign up on the website with an email address, and then decide to donate, hers was the only website that filled in your address/zip for you, so that you didn't have to type them in again.

Conversely, Bernie Sanders's website gave the impression of a bumbling old grandpa that still doesn't understand the Internet. Mike Huckabee's had its own set of problems, namely SSL errors meaning his forms weren't securely submitting credit card numbers.

Rand Paul was the only one who accepted Bitcoin, of course.

There is a wide spectrum on exactly what the website does. For many candidates, it's just a storefront. You go to the site once to donate and find out about the candidate's stance on the issues, but then you never go there again. Others are more complex, going full tilt interacting with people over the Internet. Rand Paul's website is very complex this way -- such as providing images for supporters to put on their blogs (as shown here). But then, he's really more part of a wacko libertarian movement than just a candidate.

These sites don't look like they did 8 years ago. All the websites have big fonts and images, so that their content works well on phones. Marco Rubio has this annoying "infinite scrolling" thing going on. Rick Perry has a pretty awesome video (instead of an image) as the background.

The websites vary in their use of dark patterns. These are techniques on websites that encourage people to accidentally do the wrong thing, such as sign up for things they didn't intend. Most of the emails contain tracking images/links designed to detect when you've received and read your emails, to invade your privacy. Most websites embed content from various tracking companies, in order to invade your privacy and discover more about you.

Websites are like sausage: you don't want to see the messy tricks your beloved candidate is really doing behind the scenes.


Anyway, over the course of the coming election, I'll blog about use and misuse of email addresses. Four years from now, I'll probably write a post about how this crop of candidates has turned out.


Monday, September 21, 2015

Zerodium's million dollar iOS9 bounty

Zerodium is offering a $1 million bounty for a browser-based jailbreak. I have a few comments about this. The two keywords to pick up on are "browser-based" and "untethered". The word "jailbreak" is a red-herring.

It's not about jailbreaks. Sure, the jailbreak market is huge. It's really popular in China, and there are reports of $1 million being spent on jailbreaks. But still, actually getting a return on such an investment is hard. Once you have such a jailbreak, others will start reverse engineering it, so it's an extremely high risk. You may get your money back, but there's a good chance you'll be reverse-engineered before you can.

The bigger money is in the intelligence market for 0days. A "browser-based" jailbreak is the same as a "browser-based" 0day. Intelligence organizations around the world, from China, to Europe, and most especially the NSA, have honed their tactics, techniques, and procedures around iPhone 0days. Terrorist leaders are like everyone else, blinging themselves out with status displays like iPhones. Also, iPhone is a lot more secure than Android, so it's actually a good decision (intelligence organizations have hacked Android even more).

Every time Apple comes out with a new version (like iOS9), they fix old vulns, requiring intelligence organizations to scramble to come up with new ones. Since 50% of iPhone users have updated to iOS9 in the past three days, intelligence organizations are "going dark" quickly -- unless they can get a new 0day.

One of the keywords in Zerodium's statement is "exclusive". What that means is Zerodium plans on reselling the same bug to multiple governments. I would expect such bugs to actually sell for only around $300,000. Thus, I expect that Zerodium intends to make a profit by reselling the bug, non-exclusively, to multiple governments. If they can sell it to four different countries for $300,000, they'll make a profit. On the other hand, some countries will pay more for exclusive access to a bug -- paying for the privilege of cyber-superiority.

Another keyword is "untethered", meaning the implant will be "persistent" even after the phone is turned off and on again. From what I've heard, this is the most difficult part, where in some cases they just don't have persistence. Instead, they'll rely upon the fact that people rarely let their phones run out of batteries, and the fact that if they've adequately tapped the network, it's trivial to re-exploit the phone.

Note that there are other elements to an iPhone browser kill-chain. You have to not only get an 0day in the browser, but you need a separate 0day to escape the sandbox. It'll then take further privilege escalation 0days in order to get the implant successfully installed on the phone, and to access things like the microphone in order to eavesdrop on conversations, such as the all-important Facetime.

The price for important 0days has been going up every year. It's actually quite plausible that a single intelligence organization (China or the NSA) may be willing to pay $1 million for exclusive access to such a bug. If not now, then that may happen in the next few years.

At this point, Zerodium is late to the game. The beta for iOS9 has been available to developers for a while. Chances are good that whoever is selling 0days already had them available on, well, day zero of the iOS9 launch. If not on day zero, then the day after as they tweaked their exploits for the release version.

In summary, my point is this: Zerodium phrases their bounty in terms of "jailbreaks", but I'm pretty sure the market for "intelligence 0days" is much greater. Actually using it for jailbreaks would mean it would quickly get reverse engineered, and even fixed by Apple, so I doubt they'd use it for that purpose.


Friday, September 18, 2015

Some notes on NSA's 0day handling process

The EFF got (via FOIA) the government's official policy on handling/buying 0days. I thought I'd write up some notes on this, based on my experience. The tl;dr version of this post is (1) the bits they redacted are the expected offensive use of 0days, and (2) there's nothing surprising in the redacted bits.


Before 2008, you could sell 0days to the government many times, to different departments ranging from the NSA to Army to everybody else. These government orgs would compete against each other to see who had the biggest/best cyber-arsenal.

In 2008, there came an executive order to put a stop to all this nonsense. Vuln sellers now only sold 0days once to the government, and then the NSA would coordinate them with everyone else.

That's what this "VEP" (Vuln Equities Process) document discusses -- how the NSA distributes vulnerability information to all the other "stakeholders".

I use "stakeholders" loosely, because there are a lot of government organizations who feel entitled to being part of the 0day gravy train, but who really shouldn't be. I have the impression the NSA has two processes, the real one that is tightly focused on buying vulns and deploying them in the field, and a notional one where they deal with the bureaucratic nonsense that is government. This VEP document is probably the second one.

I don't think the redactions hide anything of consequence. For example, take a look at the first redaction:


The missing words are "Offensive Capabilities", and this isn't too hard to figure out.

The next redaction refers to paragraph 49 of NSPD-54/HSPD-23. Well, EPIC got this document a while ago, and it's here (http://fas.org/irp/offdocs/nspd/nspd-54.pdf) (also here). Though paragraph 49 is redacted here, we can read it from the original document there.


Activists have pointed out this unhelpful part of the document:


But as the text says, these parts redacted here are simply a summary for what is detailed in the sections below. Those are mostly not redacted. So we can reconstruct the process:

a. All 0days must first be sent through this process before anything else (with exceptions).
b. Each department involved will designate a point-of-contact who ensures their organization is represented in the process.
c. This process applies only to 0days (newly discovered vulns that aren't publicly known).
d. The NSA is in charge of this process.
e. Any organization that gets an 0day gives it to the NSA, then the NSA distributes that 0day to all the member organization point-of-contacts.
f. Organizations will then evaluate the 0day, and then have their point-of-contact report what the organization believes should be done (e.g. use for cyber-offensive, or contact vendor and have them patch it).
g. The executive board made up of all organizations will decide what to do with the 0day.

The organizations involved are intelligence (NSA, CIA, etc.), military (Army, Air Force, JSOC, etc.), Departments of State, Justice, Commerce, Treasury, Energy, and of course, Homeland Security.

I'm not sure what the word "equities" means. I think it means anybody who has an "ownership interest" in an 0day. These are listed in Appendix A, but most are redacted. They show the "defensive" need and essentially nothing else.

But we know the redacted equities are about "offensive" use of vulns, in particular, for intelligence and for military operations.

Whatever this policy states, I'm sure that in practice things are handled much differently. For 0days in SCADA/ICS equipment, for example, they go directly to the Department of Energy, and the focus will be on getting those things patched.

On the other hand, the NSA has its offensive programs. Every time Apple updates iOS with new Safari protections, they'll buy the first 0day that gets around it. I suspect there's just a standing item of "iPhone 0days" that all departments have agreed go to the NSA for offensive exploitation, since the particulars (other than iPhone version) never change. Indeed, the NSA has a whole class of similar bugs, bought from the 0day market, that flow through to their tools for exploitation.

Moreover, as I read the document, the NSA (at its discretion) can trump the entire process and keep things secret. For example, if somebody sold a way to factor 2048 bit numbers to the NSA for $1 billion, they'd keep that secret from everyone in the government except maybe the President. It'd be interesting knowing how often this has happened.

Note that this document is phrased in terms of 0days the government just happens to come across. To some extent this is valid, where the Department of Energy and DHS come across 0days in industrial systems. But mostly what's talked about here is where the NSA buys 0days in the shady underground vulnerability market. Again, this shows a difference between the claimed process in the document, and what's really happening.


Summary

So in summary, as we reverse engineer the redacted bits, we see just what we'd expect for offensive use of 0days. As we read the document, we see just what we'd expect from bureaucracy. The missing bits aren't the redaction themselves, but what practically happens in the real world: this policy seems aspirational, what everyone agrees is the official policy, and how 0days are handled that nobody really cares about. But for the real 0days that the NSA uses, like whichever latest iPhone 0day that exists, I suspect in practice there's a very different process.


Update: Kim Zetter has discussions of the "equities" process in her Stuxnet book. Where this post just reflects my experiences with the government, her book is researched talking to lots of people.



Op-ed: By the way, I disagree with most privacy/security activists. I think it's nonsense that the NSA buying 0day makes our computers less safe; I suspect quite the opposite is true. I do think the NSA has gone too far and needs to be reined in a bit, but there's nothing special about 0days in this regard.



Wednesday, September 16, 2015

There are two sides to every story

In today's "clock" controversy, the clock didn't look like these:


Instead, this is the picture of the device (from the police department):



It's in a "pencil case", not a briefcase. You can compare the size to the plug on the right.

They didn't think it was a bomb, but a "hoax bomb". If they thought it might be a real bomb, they would've evacuated the school. Texas has specific laws making it illegal to create a hoax bomb -- it is for breaking this "hoax bomb" law that the kid was arrested.

This changes the tenor of the discussion. It wasn't that they were too stupid they thought it was a bomb, it was that they were too fascist believing it was intentionally a hoax.

They questioned him, and arrested him because his answers were "passive aggressive". This is wrong on so many levels it's hard to know where to begin. Of course, if the kid's innocent his answers are going to be passive aggressive, because it's just a clock!!!

It was the English teacher who turned him in. Probably for using a preposition at the end of a sentence. The engineering teacher thought it was a good project.

It's actually a sucky project. He didn't build his own clock so much as put existing parts of a clock together into a box.


Maybe with less hate

I wanted to point out the President's rather great tweet in response to Ahmed Mohamed's totally-not-a-bomb:


The reason this tweet is great is that it points out the great stupidity of the teachers/police, but by bringing Ahmed up rather than bringing them down. It brings all America up. Though the school/police did something wrong, the President isn't attacking them with hate.

The teachers/police were almost certainly racist, of course, but they don't see themselves that way. Attacking them with hate is therefore unlikely to fix anything. It's not going to change their behavior, because they think they did nothing wrong -- they'll just get more defensive. It's not going to change the behavior of others, because everyone (often wrongly) believes they are part of the solution and not part of the problem.

Issues like Ahmed's deserve attention, but remember that reasonable people will disagree. Some believe the bigger issue is the racism. Others believe that the bigger issue is the post 9/11 culture of ignorance and suspicion, where common electronics projects are seen as bomb threats.

But in today's political discourse, anybody who disagrees is labeled unreasonable. Those who think "ignorance" was a bigger issue than "racism" are viciously attacked for not taking racism seriously enough.

Even that is not enough hate. "Social justice" activists have used this incident to attack all white people for the crime of being "privileged".


We need less hate in the discussion. If you are a white nerd who believes the problem was ignorance more than racism, your opinion matters, too.

Personally, while the racism angle is more objectionable, the ignorance issue is more easily addressed. I've tried a little with humor:

My point is this. Less anger and hate, that'll just drive people away from the lessons they could learn from this incident. Instead, more humor, and more bringing people up -- like the President's tweet.

Tuesday, September 15, 2015

How to hack my Tesla

This post is just for my own notes. I'm buying a new car (arrives in October) and I need to gather up notes on how to hack it.

To start with is the generic car hacking information. One good source I found is the Car Hacker's Handbook, which has a good explanation of the basics.

Another good start is the various papers produced by Charlie Miller and Chris Valasek, such as their early work and their latest Jeep hack. [1] [2]

Specifically to my car, a Tesla, there is this site that documents all the undocumented bits about the car, such as listing the 56 CPUs found in the car.

Specifically, there is the work by Kevin Mahaffey and Marc Rogers covering their Tesla hacking. I hate them, because they've already done some of the obvious things I would've tried first, such as popping up an X Window on the display.

Anyway, this post is for my own benefit, so when I lose my notes, I can find them again by googling. Maybe other people in a similar situation might find it a bit useful, too.

Wednesday, September 09, 2015

What's that drama?

The infosec community is known for its drama on places like Twitter. People missing the pieces can't figure out what happened. So I thought I'd write up the latest drama.

It starts with "Wesley McGrew" (@McGrewSecurity), an assistant professor at Mississippi State. He's been a frequent source of infosec drama for years now. Since I, myself, don't shy away from drama, I can't say that he's necessarily at fault, I'm just pointing out that he's been involved in several Big Infosec Drama Blowups.

Then there is "Adrian Crenshaw" (@irongeek_adc) (aka "Irongeek") who maintains a website, http://irongeek.com, which hosts a lot of infosec videos. He'll work with conferences to make sure talks get recorded and uploaded to his site. A lot of smaller cons host their video there. If you frequently watch infosec videos, then you know the site.


I think this specific drama started back in April, when Irongeek made this April Fool's joke:
https://twitter.com/McGrewSecurity/status/583250910387789824

Many, most especially McGrew, criticized Irongeek for this, claiming it was an "unfunny slap to women in security".

I don't know when it happened, but Irongeek punished McGrew by blocking students from McGrew's university, Mississippi State. This was noticed last week.

https://twitter.com/McGrewSecurity/status/639160910490259460

Irongeek responded to criticisms by changing the "block" to a simple "warning", and removed the word "mangina".

https://twitter.com/McGrewSecurity/status/639435344908288001

After further drama, Irongeek backed down and removed the thing altogether, so now Mississippi State students see the same site as before.

Today, BSidesLV, the most important of the "small conferences" that work with Irongeek, severed their relationship with the site:


A lot of people are now upset with BSidesLV because of this. On the other hand, had they kept their relationship with Irongeek, a lot of different people would be upset. There's pretty much nothing they could have done to avoid getting sucked into the drama.

I think this is a complete summary of recent drama.

Update: Not so complete, apparently sponsors and board members left BSidesLV in protest. I don't know which way they protested. Since a lot of these people have personal relationships, there's obviously a lot going on behind the scenes that we are unaware of.





Op-ed

I apologize, but I can't resist commenting.

BSidesLV can't have a relationship with Irongeek if he pulls these sorts of stunts. They aren't responding to the content, but to the fact that otherwise innocent MSU students had to suffer; they make no mention of the content. In other words, unlike the BSidesSF/VioletBlue drama of a couple years ago, they aren't censoring somebody's speech because of content.

On the other hand, I'm rabidly opposed to anything that even looks like censorship. I'd've hoped for a different resolution, such as a commitment from Irongeek that such things wouldn't happen in the future. It's going to hurt all of us at the next con when talks aren't recorded.

Irongeek's April Fools joke is funny. We are all feminists, but still many of us oppose the "radical feminists". Nothing should be above mockery, most especially the "radical" of anything. Maybe Irongeek's joke was inappropriate -- but before I accept that, you have to show me jokes about radical feminists that meet your criteria of appropriateness.

McGrew is a typical radical feminist who attacks "old white males" with hate speech. He rejects the idea that this is even hate speech. But here's the thing: groups like GamerGate are filled with otherwise feminists who are tired of all the hate directed their way, frustrated by the fact that as white males, it's been declared that they cannot defend themselves in any legitimate way. So they lash out with immature anger, as gamers are apt to do. My point is that we are all feminists, but we are still going to disagree on the particulars. I vehemently disagree with McGrew's approach.



Troll

Looking back through McGrew's timeline to get the details for this post, I found this tweet, so I retweeted without comment to troll people. I really am a bad person.